Releases: python-social-auth/social-core
4.8.7
Added
- OpenID Connect backends can now opt in to PKCE support
Changed
- PKCE defaults now match RFC 7636 requirements
Security
- Tightened redirect URL validation
- Tightened OAuth state handling for Clever, Eventbrite, GoClio, MailChimp, SurveyMonkey and Untappd backends
- SAML authentication now restores saved sessions only after response validation
4.8.6
Changed
storage.UserProtocolnow supports read-only attributes for better type-checker compatibility- Improved type annotations and enabled mypy type checking in CI
Fixed
sanitize_redirect()now handles invalid redirect values that raiseValueError- Fixed timezone handling when working with dates
Security
- Require
PyJWT >= 2.12.0to address CVE-2026-32597
Release 4.8.5
Changed
- Fixed partial pipeline handling for unauthenticated users
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.4
Changed
- Improved type annotations
- Code cleanups
- Improved error handling in SAML
Added
- Add Azure AD(Entra ID) federated client assertion support (FIC)
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.3
Changed
- Added registry to configure default strategy
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.2
Changed
- The timeout parameter can be again configured
- Refactored HTTP authentication code
- Loosened some type checks for better downstream compatibility
ID_KEYis now configurable- Improved token expiry validation
- Additional OIDC parameters are now supported
- Improved refresh token logic
- Extended type annotations
- String RelayState in SAML is again supported
- Better handle OpenID exceptions
Removed
- itembase backend
- nk backend
- OAuth1 backend for Yahoo
- Do you see more backends where matching service is no longer available? Tell us to help identify unused code.
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.1
Changed
- Fixed
extra_data()invocation fromrefresh_token() - Replaced jose with PyJWT in Ping backend
- Dropped OAuth1 backend for OpenStreetMap
Added
- OAuth2 URLs can now be overridden in the configuration
Release 4.8.0
Changed
- Fixed Gitea backend API authentication headers
- Improved
RelayStateand attributes handling in the SAML backend- Missing configured attributes now cause an
AuthMissingParametererror
- Missing configured attributes now cause an
- Changed domains for VK backend
- All API calls now include User-Agent header
- OIDC uses info from
id_tokenwhen not present in the response - Bring back option to skip and customize
at_hashvalidation in OIDC - Dropped support for Python 3.9 and added support for Python 3.14
- Invalid API token will now raise
AuthTokenError - The
extra_datamethod of backends now receives pipeline arguments aspipeline_kwargs
Added
- Auth0 OIDC backend
- Inactive users can be allowed to authenticate using
ALLOW_INACTIVE_USERS_LOGIN - Support group whitelisting in CAS
Release 4.7.0
Changed
- Fixed getting user info in LinkedIn authentication.
- Fixed okta OIDC authentication URLs.
- Dropped AOL OpenID backend.
- Improved error handling in ORCID.
- Fixed Soundcloud OAuth2 authorization.
Added
- More OIDC configuration options.
- Session restore with stricter SameSite cookie policy.
- JWT leeway configuration for some backends.
Donations
This project welcomes donations to make the development sustainable, you can fund Python Social Auth on the following platforms:
Release 4.6.1
Changed
- Fixed crash in partial pipelines for some backends
Donations
This project welcomes donations to make the development sustainable, you can fund Python Social Auth on following platforms: